Re: Samba AD: GPO with empty or null DACL

I suspect you may need to look at the sd_flags control.

Cheers,

Garming

On 04/01/18 06:25, Thomas A. Reim via samba-technical wrote:

> Dear all,
>
> I would appreciate your support for managing the DACL of group policy
> objects on a Samba AD DC.
>
> For testing purposes I need to modify the DACL of an existing GPO to be:
>
> 1. Empty DACL
>
> 2. NULL DACL
>
> Up to now I have not been able to find a way to accomplish this task.
> Microsoft RSAT tools allow emptying the DACL, but the empty DACL is
> not stored in the directory.
>
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an
> empty DACL, but do not store it in the directory, either. Instead the
> current DACL is kept unchanged.
>
> Is there a feasible way to get these special DACLs stored in the
> directory?

Re: Samba AD: GPO with empty or null DACL

> Dear all,
>
> I would appreciate your support for managing the DACL of group policy
> objects on a Samba AD DC.
>
> For testing purposes I need to modify the DACL of an existing GPO to be:
>
> 1. Empty DACL
>
> 2. NULL DACL
>
> Up to now I have not been able to find a way to accomplish this task.
> Microsoft RSAT tools allow emptying the DACL, but the empty DACL is not
> stored in the directory.
>
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty
> DACL, but do not store it in the directory, either. Instead the current
> DACL is kept unchanged.
>
> Is there a feasible way to get these special DACLs stored in the directory?

I'm not entirely sure what you want to do, but I will note that Samba
refuses to consider a totally missing ntSecurityDescriptor to be an
'allow all', and just refuses all operations instead.
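
The two states asked about differ only in a few bytes of the binary security descriptor, and in the Windows access-check model they mean opposite things: a NULL DACL grants everyone full access, while an empty DACL grants none. As an added example that is not part of any poster's message, this sketch classifies the DACL state of a self-relative descriptor (the binary form of nTSecurityDescriptor) and encodes the value for the sd_flags control mentioned in the first reply. The function names and sample descriptors are constructed for illustration.

```python
import struct

SE_DACL_PRESENT = 0x0004           # Control bit: a DACL field is present
SE_SELF_RELATIVE = 0x8000          # Control bit: fields are offsets into the blob
DACL_SECURITY_INFORMATION = 0x4    # sd_flags bit: operate on the DACL only
SD_FLAGS_OID = "1.2.840.113556.1.4.801"  # LDAP_SERVER_SD_FLAGS_OID

def sd_flags_value(flags):
    """BER-encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    if not 0 <= flags <= 0xF:      # owner=1, group=2, DACL=4, SACL=8
        raise ValueError("sd_flags is a 4-bit mask")
    return bytes([0x30, 0x03, 0x02, 0x01, flags])

def classify_dacl(sd):
    """Return 'absent', 'null', 'empty' or 'populated' for a self-relative SD."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor header")
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision 1 self-relative descriptor")
    if not control & SE_DACL_PRESENT:
        return "absent"            # no DACL field at all
    if dacl_off == 0:
        return "null"              # present flag set but no ACL: NULL DACL
    if dacl_off + 8 > len(sd):
        raise ValueError("DACL offset points outside the descriptor")
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    return "empty" if ace_count == 0 else "populated"

def make_sd(control, dacl=b""):
    """Build a constructed test descriptor with no owner, group or SACL."""
    off = 20 if dacl else 0
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, off) + dacl

# Constructed samples, not taken from a real GPO.
EMPTY_ACL = struct.pack("<BBHHH", 4, 0, 8, 0, 0)           # ACL header, zero ACEs
ALLOW_ACE = (struct.pack("<BBHI", 0, 0, 20, 0x00020094)    # allow ACE, read-style mask
             + bytes.fromhex("01010000000000050b000000"))  # SID S-1-5-11
ONE_ACE_ACL = struct.pack("<BBHHH", 4, 0, 28, 1, 0) + ALLOW_ACE
SAMPLES = {
    "absent": make_sd(0),
    "null": make_sd(SE_DACL_PRESENT),
    "empty": make_sd(SE_DACL_PRESENT, EMPTY_ACL),
    "populated": make_sd(SE_DACL_PRESENT, ONE_ACE_ACL),
}

if __name__ == "__main__":
    for name, sd in SAMPLES.items():
        print(name, classify_dacl(sd), sd.hex())
    print(SD_FLAGS_OID, sd_flags_value(DACL_SECURITY_INFORMATION).hex())
```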